tuning sat-checkers for bounded model-checking a bounded guided tour ofer strichman carnegie mellon...
TRANSCRIPT
Tuning SAT-checkers for Bounded Model-Checking
A bounded guided tour
Ofer Strichman
Carnegie Mellon University
Model Checking
Given a: Finite transition system M(S, I, A temporal property
The model checking problem: Does M satisfy
Model Checking
Temporal properties: “Always x=y”
(G(x=y)) “Every Send is followed by Ack”
(G(Send F Ack))
“Reset can always be reached” (GF Reset)
“From some point on, always switch_on” (FG switch_on)
“Safety” properties
“Liveness” properties
Advances in Model Checking
Explicit model checking (1980 – )
Symbolic Model Checking with Binary Decision Diagrams (1991 – )
Symbolic Bounded Model Checking with SAT solvers (1999 –)
Bounded Model Checking
A.I. Planning problems: can we reach a desired state in k steps?
Verification of safety properties: can we find a bad state in k steps?
Verification: can we find a counterexample in k steps ?
(Biere, Cimatti, Clarke, Zhu, 1999)
Bounded Model Checking
Most safety properties can be reduced to “Always p” where p is propositional.
Is there a state reachable within k cycles that satisfies p ?
. . .s0 s1 s2 sk-1 sk
p p p p p
Reducing the BMC problem to SAT
p is preserved up to cycle k iff (k) is unsatisfiable:
. . .s0 s1 s2 sk-1 sk
p p p p p
Example: a two bit counter
l l rr r' ( )'
Property: Always (l r).
00
01 10
11I l r0:
(2) is unsatisfiable. (3) is satisfiable.
:
Initial state:
Transition:
( ): ( )( )
( )
( )
( )
( )
2 0 01 0 0 1 0
2 1 1 2 1
0 0
1 1
2 2
FHG
IKJ
F
HGG
I
KJJl r
l l r r r
l l r r r
l r
l r
l r
Bounded Model Checking
All Linear-time Temporal Logic (LTL) can be checked with BMC
BMC can be applied to software, e.g. C programs (Kroening, Clarke, 2002): Unwind each loop k times Represent in Single Assignment Form (SAF) Solve the resulting bit-vector verification condition
Bounded Model-Checking of software
while() loops are unwinded
void f(...) { ... while(condcond) {
Body;Body; } Rest;}
void f(...) { ... while(condcond) {
Body;Body; } Rest;}
Bounded Model-Checking of software
while() loops are unwinded
void f(...) { ... if(condcond) { Body;Body; while(condcond) {
Body;Body; } } Rest;}
void f(...) { ... if(condcond) { Body;Body; while(condcond) {
Body;Body; } } Rest;}
Bounded Model-Checking of software
while() loops are unwinded
void f(...) { ... if(condcond) { Body;Body;
if(condcond) { Body;Body; while(condcond) {
Body;Body; } } } Rest;}
void f(...) { ... if(condcond) { Body;Body;
if(condcond) { Body;Body; while(condcond) {
Body;Body; } } } Rest;}
Bounded Model-Checking of software
while() loops are unwinded iteratively
Assertion may be inserted after last iteration: violated if program runs longer than bound permits
void f(...) { ... if(condcond) { Body;Body;
if(condcond) { Body;Body; if(condcond) {
Body;Body; while(condcond) {
Body;Body; } } } } Rest;}
void f(...) { ... if(condcond) { Body;Body;
if(condcond) { Body;Body; if(condcond) {
Body;Body; while(condcond) {
Body;Body; } } } } Rest;}
Bounded Model-Checking of software
while() loops are unwinded iteratively
Assertion my be inserted after last iteration: violated if program runs longer than bound permits
void f(...) { ... if(condcond) { Body;Body;
if(condcond) { Body;Body; if(condcond) {
Body;Body; if(condcond) {
assert(FALSE); } } } } Rest;}
void f(...) { ... if(condcond) { Body;Body;
if(condcond) { Body;Body; if(condcond) {
Body;Body; if(condcond) {
assert(FALSE); } } } } Rest;}
Bounded Model Checking - First impression…
First experiments with BMC in the industry showed that it is rarely faster than model checkers, unless k is very small.
But: Model checkers enjoyed more than 10 years of R&D….
The Davis-Putnam procedure
Given k in CNF: (x,y,z),(x,y),(:y,z),(:x, :y, :z)
Decide()
Deduce()( ~1000)
Diagnose()
-xx
-zz-yy
z -z y -y
() ()
(z ),(-z ) ()
(y),(-y,z ),(-y,-z )
()
() ()
(y),(-y)
(y,z ),(-y,z )
1. Restricting Decide()
Restricting Decide() to a smaller set of variables that uniquely determines the satisfiability of (k): Model variables (~ 15 % of (k)’s variables) Input variables (~ 5 % of (k)’s variables)
Less variables to Decide() implies more variables to Deduce()
For a general CNF formula, Dynamic strategies are typically better: Most Frequent in unsatisfied clauses (DLCS) Satisfies the most clauses (DLIS) Satisfies the most shortest clauses (MOM, JW) Conflict Driven (VSIDS)
:
2. Variable ordering
Q: How well do they work with BMC formulas ?
A (CNF) dependency graph D (V,E):
A partitioning C1..Cn:
An abstract dependency graph D’(V’, E’):
2. Variable ordering (Abstract dependency graphs)
For (k) there exists a partition C1..Cn s.t. the abstract dependency graph is linear
C0 C1 C2 CkC3 Ck-1
V0 V1 V2 VkV3 Vk-1
...
2. Variable ordering (The natural order of (k))
I0~Pk
With general-purpose Decide() strategies, local sets of variables are satisfied a-synchronically
v v5 6..
v15
v2
2. Variable ordering
I0PkRiding on unreachable states...
k should satisfy I0
I0Riding on legal executions...
(k) should satisfy Pk
Pk
2. Variable ordering (simple static ordering)
Can this regularity be used to speed up the search ?
3. Exploiting (k)’s structure
3. Exploiting (k)’s structure
Conflict clauses is the main mechanism for learning
If (x3=1, y7 = 0, z5 = 1 ) leads to a conflict, add the conflict clause C: ( x3 y7 z5)
3. Exploiting (k)’s structure (Replicated clauses)
If x3=1, y7 = 0, z5 = 1 leads to a conflict, then so will x2=1, y6 = 0, z4 = 1
Therefore, we can also add: (x2 y6 z4) … (x0 y4 z2) and...(x4 y8 z6) … (xk-4 yk zk-2)
Yet, (k) is not fully symmetric because of I0.
Check whether the clauses that caused the conflict include I0 variables.
4. Exploiting (k)’s structure (Reusing clauses)
When can a conflict clause C that was learned while solving (k) be reused for solving (k+1)?
Answer: all clauses that together implied C are in (k) Å (k+1)
All clauses except the property are in (k) Å (k+1)
Results (Sec.)
Design # k RB1 RB2 Grasp SM c SM(k-1)1 18 7 6 282 3 202 5 70 8 1.1 0.8 0.43 14 597 375 76 3 9344 24 690 261 510 12 265 12 803 184 24 2 16 22 * * * 356 * * * 18 287 9 * * * 2671 10 2 1.38 35 * * * * * * 6317 20 309 38 * * * * * * 9035 25 23010 31 * * * * * * * * * 312 1061
11 32 152 60 * * * * * * * * *12 31 1419 1126 * * * * * * * * *13 14 * * * 3626 * * * * * * * * *
* * * = exceeds 10,000 sec. )Today, Chaff solves all in 7 minutes…)
Results (sec.)
Design #1
Strategy k 27 28 29 30 31 Normal time 61 102 174 144 14
time 48 21 19 44 30 replicated 2094 1704 1216 1075 450
Constraints sharing + replication added
clauses 0 482 1113 1536 2014
Design #2
Strategy k 14 15 16 17 18 Normal time 10 91 192 * *
time 13 48 214 6211 * replicated 5932 5656 7778 1.7E4 *
Constraints sharing + replication added
clauses 0 3374 5773 9806 1.6E4
The Conclusion
The original conclusion (2000): Many models that cannot be solved by BDD symbolic
model checkers, can be solved with the optimized SAT Bounded Model Checker.
The other direction is true as well
Today: BMC with SAT is dominant in finding shallow errors. BDD-based procedures are mainly used for proving their absence.
How big should k be?
For every model M and LTL property there exists k s.t.
The minimal such k is the Completeness Threshold (CT)
How big should k be?
Diameter d = longest shortest path from an initial state to any other reachable state.
Recurrence Diameter rd = longest loop-free path. rd ¸ d
d = 2
rd = 3
How big should k be?
Theorem: for Gp properties CT = d
s0
p
Arbitrary path
How big should k be?
Theorem: for Fp properties CT= rd
s0
ppppp
Open Problem: The value of CT for general Linear Temporal Logic properties is unknown
LTL model checking
Given M,, construct B
LTL model checking: is : M £ B empty ?
Emptiness checking: is there a path to a loop with an accepting state ?
! witness to G true with fairness constraint
M ² iff is empty
LTL Bounded Model Checking
“Unroll” k times Find a witness to Gtrue with the fairness constraint
s0
f